Introduction


The rapid adoption of SaaS-based applications in organizations today continues at a breakneck pace. These applications provide critical functionality and enable greater productivity, but at the same time introduce potential new security and data theft risks if not properly controlled.


Individual users, cross-functional teams, and even entire departments, frequently use unsanctioned Software-as-a-Service (SaaS) applications, thus creating a “shadow IT” environment within the organization and perpetuating a “cat-and-mouse” relationship that often exists between IT security and end-users.


For example, a geographically dispersed team might use Box to collaborate on an important project. The team puts forth a great deal of effort attempting to circumvent the organization’s “burdensome” change management and approval processes, while the IT security group struggles to maintain the visibility and control necessary to protect the organization and its (or its customers’) sensitive data.


Even when organizations adopt a formal cloud strategy replete with sanctioned SaaS applications, such as GitHub and Salesforce — as well as Dropbox, Google Drive, and many others — security challenges abound.


The network perimeter, long held sacred by IT security practitioners, is no longer enough to protect your network and data. With cloud computing, your applications and data could be anywhere. As such, the network perimeter must now be composed of many more perimeters — in the public cloud and the private cloud, in SaaS environments, in the physical data center core, and on mobile devices, among others — each with unique security requirements.
Beginning with the traditional network perimeter, corporate firewalls must provide complete visibility of the network. With a full understanding of the applications and traffic on your network, you can then return to a positive control model with policies that define sanctioned and unsanctioned apps and usage on the network.


Finally, to safely enable SaaS applications, IT security must have the tools to effectively manage and secure SaaS usage in its organizations. Such tools provide the following:

- Complete visibility across all user, folder, and file activity within SaaS applications
- Detailed analysis and analytics on usage to prevent data risk and compliance violations
- Granular context-aware policy control to drive enforcement and quarantine of users and data as soon as a violation occurs
- Real-time threat intelligence on known and unknown threats to prevent new SaaS-based insertion points for malware “in the wild”


These capabilities can only be effectively delivered in a cloud-based platform with the ability to connect to SaaS application services anywhere and everywhere. New and evolving threats are using the agility and ubiquity of the cloud to propagate rapidly in traditional data centers and in the cloud — your SaaS security solution needs to leverage that same agility and ubiquity (“fight fire with fire”).


About This Book


This book explores the rapid growth of SaaS application services in organizations (Chapter 1), describes how to uncover SaaS usage in your network and specific SaaS security risks (Chapter 2), explains how to control SaaS usage (Chapter 3) and protect sanctioned SaaS in your organization (Chapter 4), and looks at SaaS security challenges that every organization must address (Chapter 5).

Finally, if you get lost in all the acronyms and technical terms used throughout the book, there’s a glossary in the back of the book to help you out.


Foolish Assumptions 


It’s been said that most assumptions have outlived their uselessness, but I assume a few things nonetheless!


Mainly, I assume that you work in information technology for an organization of some sort — perhaps a small or medium business, large enterprise, nonprofit, military, or government agency. As such, this book is written primarily for technical readers who know a little something about network security.


I also assume that you’re looking for security solutions that will help you address the visibility and control challenges that most organizations today are facing when it comes to cloud-based technologies, specifically SaaS-based applications. Whether or not your organization has wholeheartedly embraced the cloud and adopted a cloud strategy, your users no doubt have and are already using SaaS applications — whether sanctioned by your organization or not.


If any of the above assumptions describes you, this book is for you! If none of these assumptions describes you, keep reading anyway. It’s a great book and when you finish reading it you'll know a few things about securing SaaS applications and keeping sensitive data safe in the cloud.


Icons Used in This Book 


Throughout this book, I occasionally use special icons to call attention to important information. Here’s what to expect:


This icon points out information that you should commit to your nonvolatile memory, your gray matter, or your noggin’ — along with anniversaries and birthdays!
You won’t find a map of the human genome here, but if you seek to attain the seventh level of NERD-vana, perk up! This icon explains the jargon beneath the jargon!


Thank you for reading, hope you enjoy the book, please take care of your writers! Seriously, this icon points out helpful suggestions and useful nuggets of information.


This icon points out the stuff your mother warned you about. Okay, probably not. But you should take heed nonetheless — you may just save yourself some time and frustration!


Beyond the Book 


There’s only so much I can cover in 72 short pages, so if you find yourself at the end of this book, thinking, “Gosh, this was an amazing book, where can I learn more?” just go to www.paloaltonetworks.com.


Where to Go from Here 


With my apologies to Lewis Carroll, Alice, and the Cheshire cat: 


“Would you tell me, please, which way I ought to go from here?”


“That depends a good deal on where you want to get to,” said the Cat — er, the Dummies Man.


“I don’t much care where... ,” said Alice.

“Then it doesn’t matter which way you go!”

That’s certainly true of Securing SaaS For Dummies, which, like Alice in Wonderland, is also destined to become a timeless classic!




If you don’t know where you’re going, any chapter will get you there — but Chapter 1 might be a good place to start! However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. I promise you won't get lost falling down the rabbit hole!


Securing SaaS For Dummies, Palo Alto Networks Edition


Chapter 1

Understanding the SaaS Market


In This Chapter
- Observing the rising use of SaaS cloud apps
- Weighing the benefits and risks of SaaS


In this chapter, you look at the explosive growth of SaaS applications in networks everywhere, and the benefits and risks associated with SaaS applications.


SaaS Usage Growth 


The popularity of cloud computing service models, in general, continues to grow, while SaaS application services, in particular, are surging. A recent Gartner survey found that alternative consumption models, including SaaS, hosted license, on-premises subscriptions and open source, accounted for more than half of new enterprise software implementations. Gartner further predicts that

- By 2019, approximately 28 percent of installed human capital management (HCM) systems globally will be SaaS-based.
- By 2020, approximately 25 percent of organizations in emerging regions will run their core customer relationship management (CRM) systems in the cloud. In North America, cloud-based CRM is already commonplace in enterprises.
Clearing the air about cloud computing service and deployment models


The three cloud computing service models defined by NIST are

- Software as a Service (SaaS): Customers are provided access to an application running on a cloud infrastructure. The application is accessible from various client devices and interfaces, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer may have access to limited user-specific application settings, and security of the customer's data is still the responsibility of the customer.


- Platform as a Service (PaaS): Customers can deploy supported applications onto the provider's cloud infrastructure, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over the deployed applications and limited configuration settings for the application-hosting environment. The company owns the deployed applications and data, and is therefore responsible for the security of those applications and data.




- Infrastructure as a Service (IaaS): Customers can provision processing, storage, networks, and other computing resources and deploy and run operating systems and applications, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over operating systems, storage, and deployed applications, as well as some networking components (for example, host firewalls). The company owns the deployed applications and data, and is therefore responsible for the security of those applications and data.


NIST defines four cloud computing deployment models:


- Public: A cloud infrastructure that is open to use by the general public. It's owned, managed, and operated by a third party (or parties) and exists on the cloud provider's premises.
- Community: A cloud infrastructure that is used exclusively by a specific group of organizations.
- Private: A cloud infrastructure that is used exclusively by a single organization. It may be owned, managed, and operated by the organization or a third party (or a combination of both), and may exist on or off premises.
- Hybrid: A cloud infrastructure that is composed of two or more of the aforementioned deployment models, bound together by standardized or proprietary technology that enables data and application portability (for example, failover to a secondary data center for disaster recovery or content delivery networks across multiple clouds).







According to a recent Palo Alto Networks Security Lifecycle Review (SLR) report, the top SaaS applications by data movement are Box (600GB), Salesforce (596GB), SharePoint (425GB), and Google Drive (350GB).


According to Palo Alto Networks’ 2015 Application Usage and Threat Report (AUTR), SaaS application usage increased 46 percent (from 218 to 316 unique applications) between 2012 and 2015 in organizations participating in the research (see Figure 1-1).





Figure 1-1: Unique SaaS applications in use. 


The overwhelming majority of these SaaS applications consisted of file storage (40.7 percent) applications (see Figure 1-2).


Figure 1-2: Usage of top 25 SaaS-based applications.

SaaS adoption by organizations will continue to grow as more organizations define and implement cloud computing strategies to leverage the benefits of cloud computing models. These benefits include

- Greater business agility and responsiveness: Applications and data can be accessed in the cloud from anywhere, at any time, on any device.
- Faster time-to-market: New products and services can be delivered rapidly in the cloud.
- On-demand scalability: Additional software licensing and/or infrastructure can be provisioned and deprovisioned as needed.
- Increased stability: Mature release management processes and highly available application infrastructures have built trust and confidence in the SaaS delivery model.
- Reduced capital investments: IT organizations are able to utilize private and hybrid cloud infrastructures more efficiently, and in many cases defer costly data center infrastructure upgrades.
- Lower operating expenses: Flexible SaaS licensing options enable organizations to purchase exactly what they need and potentially reduce their data center footprint (and associated operating costs).
SaaS Benefits and Risks


Organizations constantly struggle to carefully balance their end-users’ need for application usability and the extent to which they’re willing to accept organizational risk in order to achieve that level of usability.


SaaS applications and services put renewed focus on this challenge, in large part because SaaS usage has become a normal, everyday occurrence for many working professionals. Using Dropbox to upload a few files or iCloud to synchronize pictures is a small, but important part of their everyday routine and workflow.


Of particular concern, much of this activity is likely unsanctioned use of unknown or uncontrolled SaaS applications. In most organizations that allow SaaS applications, users are provided access to a specific list of services the organization has deemed acceptable or suitable for business purposes. Given the large percentage of usage and the high number of unique SaaS applications observed, it can be concluded that many users are likely not following these usage policies, and are instead engaging in rampant use of unsanctioned SaaS applications.


Such unsanctioned use further increases the risk of data leakage to organizations, due to the lack of visibility from regular logs or notifications from the unsanctioned SaaS storage providers. Another risk involves the intermeshing of users’ personal and work documents, which may cause regulatory compliance issues, and situations in which a user’s Box Personal account, for example, may be compromised and then used by the adversary to pivot an attack to the user’s Box Corporate account.


Implementing draconian policies to completely prevent such activities can be impractical, given the widespread and often business-relevant usage of many of these applications and the inability to effectively enforce such policies with traditional firewalls and security technologies. Ironically, such policies may also be counterproductive because end-users may tend to feel “disconnected” in such an environment and become easily distracted or, worse yet, spend countless hours devising inventive new ways to circumvent these policies and engaging IT security teams in a never-ending — and potentially risky — “cat-and-mouse” struggle. Blocking heavily used apps that aren’t sanctioned can cause employees to quietly revolt and makes them much less productive because they’re denied access to the tools they’re used to working with. The chainsaw approach doesn’t work; a scalpel is what’s needed. Adverse issues for the organization include the following:

- Creating a “shadow IT” subculture of back-channel or underground workflow processes that are critical to the businesses’ operations, but are known only to a few users and fully dependent on personal technologies and applications
- Introducing new risks to the entire networking and computing infrastructure, due to the presence of unknown, and, therefore, unaddressed and unpatched, vulnerabilities, as well as threats that target normal application and user behavior — whether a vulnerability exists in the application or not
- Being exposed to noncompliance penalties for organizations that are subject to regulatory requirements such as HIPAA, FINRA, and PCI DSS

Ideally, a multipronged strategy should be employed that does not blindly restrict SaaS application usage, but safely enables sanctioned SaaS applications with the visibility and control necessary to maintain an organization’s risk posture and the security of its data. An important element of such a strategy includes regular user training and awareness programs to ensure that end-users understand any potential security and privacy risks associated with the various SaaS applications and services — both sanctioned and unsanctioned.


Chapter 2

Discovering SaaS Usage in Your Network


In This Chapter
- Understanding who is using SaaS and why
- Differentiating corporate and personal SaaS usage
- Recognizing the changing threat landscape
- Categorizing SaaS apps for safe enablement


In this chapter, you learn how to regain complete visibility into your network in order to find out what SaaS applications are already being used on your network, by whom, and why, so that you can retake control of your network and prevent or mitigate the risks associated with SaaS applications — without disrupting your business.


Who’s Using SaaS and Why? 


Over the past decade, the application landscape has changed dramatically. Traditional business applications are increasingly being supplemented with, or in some cases supplanted by, SaaS and web-based applications. This convergence of traditional on-premises and cloud computing infrastructures to deliver applications, services, and data, is being driven by employees (bottom-up) and organizations (top-down) alike.


The rapid adoption of many popular SaaS and web-based applications is often driven by users, not by the organization. The ease with which they can be accessed, combined with the fact that today’s knowledge workers are accustomed to using them, points toward a growing “shadow” IT culture in which individuals and departments use both sanctioned and unsanctioned applications.


SaaS adoption by individual users can be largely attributed to several popular and important trends:

- Consumerization
- Cloud computing
- Mobile computing


The process of consumerization occurs as users increasingly find personal technology and applications that are more powerful or capable, more convenient, less expensive, quicker to install, and easier to use, than more traditional IT solutions that are provided by the organization. These user-centric applications and technologies enable individuals to improve their personal efficiency, handle their nonwork affairs, and maintain online personas, among other things.


Catering to this demand, technology vendors and developers enjoy vast economies of scale and the pervasive benefits of viral marketing. Selling small quantities to literally hundreds of millions of individual users, rather than large quantities to relatively fewer organizations means

- Shorter buying cycles: A purchase is a personal choice rather than a management decision.
- Focusing on functionality and ease of use, rather than standards and interoperability.
- Constantly and rapidly improving products, based on large-scale and virtually instantaneous user feedback.


The evolution and growth of low-cost cloud computing infrastructure has further contributed to the rise of SaaS adoption, making cloud-based business and personal applications readily available to users from any location — without the need for IT assistance or intervention.


Finally, mobile computing continues to drive the individual user’s insatiable appetite for on-demand access to applications and data from anywhere, at any time, on any device. Today, there are more than 2.6 billion smartphone subscriptions worldwide. According to the June 2015 Ericsson Mobility Report, total mobile monthly data traffic (including audio, file sharing, social networking, software uploads and downloads, video, web browsing, and other sources) in the first quarter of 2015 was approximately 3,500 petabytes!


Personal and Corporate Apps 




The rapid adoption of SaaS applications by employees and organizations results in a wide variety of application types in use today. Here are some examples of these applications:

- Collaboration and cloud storage tools such as Box, Dropbox, Google Drive, iCloud, and Microsoft Office 365/OneDrive
- Web-based email such as Gmail, Outlook.com, and Yahoo! Mail
- Content management tools such as SharePoint
- Customer relationship management (CRM) portals such as Salesforce and SugarCRM


The use of anonymizers and proxies on any network should be considered risky and suspect.

Remote access tools can be both good and bad. They’re valuable productivity tools for IT administrators and support technicians, but they’re also “threat-rich” applications that often employ weak security safeguards and authentication mechanisms that are prone to exploit by attackers.


To appreciate how rapidly these applications, both sanctioned and unsanctioned, have proliferated the corporate network, consider that the Palo Alto Networks Spring 2015 Application Usage and Threat Report found that SaaS-based application usage increased 46 percent on customer networks between 2012 and 2015. Cloud-based storage accounted for the overwhelming majority of these applications at 40.7 percent. With unknown malware threats and exploits infecting documents, spreadsheets, and other file types, and the inherent risk of data leakage due to sensitive data potentially being uploaded to cloud-based storage, the risks to organizations cannot be ignored.
Defining the Application and Threat Landscape


Network security used to be relatively simple. Everything was more or less black and white — either clearly bad or clearly good. Work applications constituted good traffic that should be allowed, while pretty much everything else constituted bad traffic that should be blocked. Furthermore, work applications were hosted inside the organization’s data center on a “trusted” network segment, and a firewall was deployed at the network perimeter to enforce those “allow” or “block” decisions.


Today, applications have become

- Increasingly “gray” — classifying types of applications as good or bad is not a straightforward exercise.
- Impossible to accurately identify based on traditional port and protocol assignments only.
- The predominant vector for today’s cybercriminals and threat developers who use applications as unwitting carriers of malicious payloads.


Applications: “I’m not a number!”


Although distinguishing one type of application from the next sounds simple, it really isn’t — for a number of reasons.

In order to maximize their accessibility and use, many applications — particularly SaaS-based applications that aren’t hosted on-premises and must therefore easily communicate through corporate firewalls — are designed from the outset to use standard ports, such as TCP ports 80 (HTTP) and 443 (HTTPS), that are commonly allowed through legacy port-based firewalls that see applications as little more than a number. You’ve heard the expression, “If all you have is a hammer, everything looks like a nail,” right? Well, to a port-based firewall, increasingly, every application looks like HTTP or HTTPS!


Other applications use a variety of techniques to facilitate ease of use. Common techniques include the following:

- Port hopping, where ports/protocols are randomly shifted over the course of a session
- Use of nonstandard ports, such as running Yahoo! Messenger over TCP port 80 (HTTP) instead of the standard TCP port for Yahoo! Messenger (5050)
- Tunneling within commonly used services, such as when peer-to-peer (P2P) file sharing or an instant messenger (IM) client is running over HTTP
- Hiding within SSL encryption, which masks the application traffic, for example, over TCP port 443 (HTTPS)


These techniques are also used by attackers for malicious purposes to evade detection by port-based firewalls.


At the same time, enterprise users are increasingly embracing SaaS and web-based applications and services such as Salesforce.com, WebEx, and Google Apps — which often initiate in a browser but then switch to more client-server-like behavior (rich client, proprietary transactions, and others).


The result of the shift to SaaS and web-based applications is that HTTP and HTTPS now account for approximately two-thirds of all organizational traffic. This is not a problem, per se, but it does exacerbate an inherent weakness of traditional security infrastructure. Specifically, the wide variety of higher-order applications riding on top of HTTP and HTTPS — whether or not they actually serve a legitimate business purpose — are practically indistinguishable for older port-based firewalls. The negative impact of organizations further losing control over their network communications is clear and underlines the fact that the application landscape has evolved dramatically.


Threats are hiding in plain sight 


The increasing prevalence of application-layer attacks is yet another disturbing trend. Email and web browsers are still the main attack vectors today, with malicious content either attached or downloaded as an executable or macro-based file. SaaS-based cloud storage services, such as Box and Google Drive (among others), are beyond the reach of many enterprise anti-malware solutions until a file is downloaded to the corporate network. Files stored in the cloud may be infected with malware or exploits that go undetected — particularly if the file is downloaded to a mobile device or personal USB thumb drive outside the corporate network without being properly scanned by an anti-malware solution. The malicious use of remote access applications is another significant attack vector. Threats that directly target applications can pass right through the majority of enterprise defenses, which have historically been built to provide network-layer protection. Threat developers exploit the same methods (described in the previous section) to infiltrate networks that application developers use to promote ease of use and widespread adoption, such as tunneling within applications.


The evasion techniques built into these and many other modern applications are being leveraged to provide threats with “free passage” into enterprise networks. So, it’s no surprise that more than 80 percent of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. With the implicit trust that users place in their applications — particularly those SaaS-based applications that they themselves have found, downloaded, installed, and used for both personal and work-related purposes — a perfect storm has been created. The motivation for cybercriminals has also shifted — from gaining notoriety to political activism, espionage, and making money. The name of the game today is information theft. Consequently, it’s no longer in a cybercriminal’s best interests to devise threats that are “noisy” or that are relatively benign. To be successful, a thief must be fast or stealthy — or both.


For cybercriminals who favor speed over sophistication — speed of initial threat generation, speed of modification, and speed of propagation — the goal is to develop, launch, and quickly spread new threats immediately on the heels of the disclosure of a new vulnerability. The resulting zero-day and near-zero-day exploits then have an increased likelihood of success because reactive countermeasures, such as patching and those tools that rely on threat signatures (such as antivirus software and intrusion prevention), are unable to keep up — at least during the early phases of a new attack. Worse yet, SaaS-based applications and data that aren’t routinely scanned are particularly vulnerable — not only to zero-day and near-zero-day exploits, but also to older exploits that likewise go unscanned and therefore undetected.
The (re)rise of macro malware


In 1995, the first macro-based malware, WM/Concept, was unleashed upon the public and began the initial wave of macro-based malware targeting Microsoft Word and Excel. Twenty years later, cybercriminals have rediscovered macro-based malware and are once again using it as another tool in their arsenal.


What is a macro? 


Macros were originally developed for the Microsoft Office suite as a way to automate repetitive tasks or share tasks among different users. The system was designed so that a user could use a simple feature to record a repetitive task, which would then automatically be transcribed into Visual Basic for Applications (VBA). The macro automated the task, and the VBA code could then be shared with other users.


Unfortunately, macros were not designed with security in mind; functionality was the main goal, and macros allowed users to be more productive by speeding up repetitive tasks. Although the intentions of macros in Microsoft Office documents were altruistic, the unfortunate side effect was the creation of an easy-to-use and effective vehicle for malicious code.


The most famous and well-known macro-based malware was the Melissa virus in 1999. It was distributed within a Word document that would gather the first 50 entries from a user's address book and then mail a copy of the macro-infected Word document to each entry via Microsoft Outlook. When the recipients opened the document, the cycle would continue ad nauseam. Due to the overwhelming number of infected systems attempting to send out emails, the Melissa virus placed many major email servers into a denial-of-service state.


Where are we now? 


In response to the Melissa virus and other macro malware, Microsoft put multiple mitigations in place to prevent the spread of macro-based malware. In Office 2003, only digitally signed macros could be run by default. In Office 2007, the letter m was appended to the usual Office file extensions (.docxm, .xlsxm, .pptxm) to signify that the file contained a macro. Finally, in Office 2013, macros were simply turned off by default, showing users a notification if a macro was embedded in the document they had opened. The actions taken by Microsoft significantly reduced macro-based malware infections and, in turn, reduced the popularity of macro-based malware usage by cybercriminals.


No good deed goes unpunished, however. In the last decade, a new generation of users has emerged who have never used macros, or are not even aware of what they are, due to the dormancy of macros in general.
Users have a tendency to have a singular goal in mind, which is to accomplish the given task at hand. This causes them to ignore warnings or pop-up messages indicating potential danger because, to them, these buttons and dialog boxes are simple barriers to their productivity. The lack of awareness and a focus on getting to the user's desired content or task has led to a sudden resurgence in the usage of macro-based malware as users unwittingly enable macros in Office documents more and more often.


The two most observed malware families delivered via macro abuse are the Dridex and Dyre malware families. More than 10 percent of all malicious activity identified in the Palo Alto Networks Spring 2015 Application Usage and Threat Report involved these two malware families:


- Dridex: Dridex is a banking Trojan descended from the GameOver Zeus family of malware. Its functions are extremely similar to the well-known GameOver Zeus variants such as Cridex, targeting online banking credentials and containing configurations to mimic logins for financial institutions. Dridex differs from its malware relatives, however, in the fact that it utilizes macro-embedded Office documents to load itself onto potential victim hosts, where it then begins harvesting banking credentials. Well over 99 percent of Dridex sessions were delivered over various email protocols or web browsing.


- Dyre/Upatre: Upatre is the name of the malware downloader, generally delivered via a macro-based malware Office document, which then retrieves Dyre (Dyreza), a banking Trojan similar in function to GameOver Zeus and its variants. In addition, Upatre utilizes the Microsoft Outlook email client to send itself out to additional victims, effectively worming its way across the Internet. As with Dridex, more than 99 percent of these sessions were over various email protocols or web browsing.


What does this mean? 


Although extremely numerous and popular at this time, both Dridex and Dyre/Upatre are fairly easy to prevent, due to the usage of simple delivery mechanisms, such as an email attachment or link to a malicious file. Still, examining the sheer volume of macro-based malware demonstrates that macro-based malware is a real threat to organizations. Specific user education is called for on macros — explaining what they are, what they do, and what users need to be aware of to prevent macro-based malware attacks from succeeding.
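As an added example (not code from the book or from any vendor product), the following Python script checks an Office document's OOXML container for an embedded VBA project, so a mail gateway or file filter can flag macro-bearing attachments from what is inside the file rather than from the telltale "m" in the extension. The sample documents it builds in memory are constructed stubs, not real Word files.

```python
"""Flag Office documents that carry VBA macros by inspecting the OOXML
container rather than trusting the file extension.
Added example; not code from the book or from any vendor product."""
import io
import zipfile

# Content type Office registers for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Macro-enabled Office extensions (the telltale trailing "m").
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def has_vba_macro(data: bytes) -> bool:
    """True if the container holds a VBA project part.

    Two independent signals are checked: a part named vbaProject.bin and
    the VBA content type declared in [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.endswith("vbaProject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass  # not an OOXML container (legacy .doc, PDF, plain text, ...)
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """'clean', 'macro', or 'macro-hidden' (macro present, extension says otherwise)."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if not has_vba_macro(data):
        return "clean"
    return "macro" if ext in MACRO_EXTENSIONS else "macro-hidden"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    overrides = ""
    if with_macro:
        overrides = ('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    ctypes = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              '%s</Types>' % overrides)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE compound files; a stub header is enough here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
    return buf.getvalue()
```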
This speed-based approach is facilitated in large part by the widespread availability of threat development websites, toolkits, and frameworks. Unfortunately, another by-product of these resources is the ability to easily and rapidly convert “known” threats into “unknown” threats — at least from the perspective of signature-based countermeasures. This transformation can be accomplished either by making a minor tweak to the code of a threat, or by adding entirely new propagation and exploit mechanisms, thereby creating what is commonly referred to as a blended threat.


Categorizing SaaS Applications 


To safely enable applications and protect their data, organizations must be able to accurately identify, categorize, and control the applications, including SaaS and web-based applications, in use on their network.


The challenge for organizations today is not only the growing diversity of the applications, but also the inability to clearly and consistently classify them as good or bad. Although many are clearly good (low risk, high reward), and others are clearly bad (high risk, low reward), most are somewhere in between. Moreover, the end of the spectrum that these applications fall on can vary from one scenario to the next and from user to user or from session to session. Applications can be categorized as


- Sanctioned: Applications that the organization has approved for use and are provided by IT. These apps typically are delivered through a corporate SSO.

- Unsanctioned: Applications, including unknown applications that need to be assessed by the organization, that are not approved for use.

- Unsanctioned but tolerated: Applications that are unapproved by IT but not blocked. Their access is strictly controlled by user group or function to reduce their exposure or as a means to migrate users away from the application. These applications may be allowed only until the users are migrated to a sanctioned application, for example, since simply cutting off access to these applications would cause them to lose access to their data and would prevent them from migrating it to a sanctioned application.
To restore full visibility and a positive control model to the firewall, next-generation firewalls fix the problem at its core. Starting with a blank slate, next-generation firewalls classify traffic by an application’s identity in order to enable visibility and control of all types of applications — including SaaS, web-based, client-server, and custom applications — running on an organization’s network. The essential functional requirements for an effective next-generation firewall include the ability to


- Identify applications regardless of port, protocol, evasive techniques, or SSL encryption before doing anything else

- Provide visibility of and granular, policy-based control over applications, including individual application functions

- Accurately identify users and subsequently use identity information as an attribute for policy control

- Provide real-time protection against a wide array of threats, including those operating at the application layer

- Integrate, not just combine, traditional firewall and network intrusion prevention capabilities

- Support in-line deployments with negligible performance degradation


Typical capabilities of traditional firewalls include packet filtering, network-address translation (NAT), port-address translation (PAT), stateful inspection, and virtual private network (VPN) support. Typical intrusion prevention capabilities include vulnerability- and threat-facing signatures and heuristics.

The key to next-generation firewalls is the ability to do everything a traditional firewall does with the advanced capabilities that combine innovative identification technologies, high performance, and additional foundational features to yield an enterprise-class solution.
Whatever happened to the firewall?


Have you noticed that nobody gets excited about firewalls anymore? There was a time when the firewall was the single most important security device in your network. So, what happened?

The answer is a bit of a cliché: The Internet has changed everything! Years ago, most firewalls did a pretty good job of controlling traffic in and out of networks. That's because application traffic was generally well behaved. Email would typically flow through port 25, FTP was assigned to port 20, and HTTP used port 80. Everybody played by the rules — “ports + protocols = applications” — and the firewall had everything under control. Blocking a port meant blocking an application. Nice and simple.

Unfortunately, the Internet has never really been nice and simple. And that's truer today than ever before. There are many new Internet applications that insist on making their own rules. They wrap themselves in other protocols, sneak through ports that don’t belong to them, and bury themselves inside SSL tunnels. In short, they just don’t play fair.

All these applications carry some inherent risk to your business. And they play host to clever new threats that can slip through your firewall undetected. Meanwhile, your firewall just sits there like nothing is wrong because it’s still playing by rules that don’t exist anymore!


Because they're deployed in-line at network perimeters, firewalls see all traffic and, therefore, are the ideal resource to provide granular access control. The problem, however, is that most firewalls are “far-sighted.” They can see the general shape of things, but not the finer details of what's actually happening. This is because they operate by inferring the application-layer service that a given stream of traffic is associated with, based on the port number used in the packet's header, and they only look at the first packet in a session to determine the type of traffic being processed, typically to improve performance.

Legacy port-based firewalls rely on a convention — not a requirement — that a given port corresponds to a given service (for example, TCP port 80 corresponds to HTTP). As such, they're also incapable of distinguishing between different applications that use the same port/service (see the following figure).
(Figure: a single web browser session carrying Microsoft Office 365, Skype, Salesforce, YouTube, Gmail, Google Apps, Facebook, Tor, Zoho, GoToMyPC, and Oracle CRM over the same port/service.)

The net result is that traditional, port-based firewalls have basically gone blind. Besides being unable to account for common evasion techniques such as port hopping, protocol tunneling, and the use of nonstandard ports, these firewalls simply lack the visibility and intelligence to discern which network traffic

- Corresponds to applications that serve a legitimate purpose

- Corresponds to applications that can serve a legitimate purpose but, in a given instance, are being used for unsanctioned activities

- Should be blocked because it contains malware or other threats, even though it corresponds to legitimate activities

On top of everything else, their control model is typically too coarse-grained. Said firewalls can either block or allow traffic, but offer little variation in between to craft a more appropriate response for all the “gray” applications that organizations typically must support — for example, by allowing certain functions or file transfers within an application but not others, allowing but also applying traffic-shaping policies, allowing but scanning for threats or confidential data, or allowing based on users, groups, or time of day.
Application identification


Establishing port and protocol is a first step in application identification but, by itself, it’s insufficient. Robust application identification and inspection enables granular control of the flow of sessions through a firewall based on the specific applications that are being used, instead of just relying on the underlying set of often indistinguishable network communication services (see Figure 2-1).

(Figure 2-1 art; labels: SMTP; Box, Salesforce, Gmail, GoToMyPC, WhatsApp; Application-centric Traffic Classification.)

Figure 2-1: Application-centric traffic classification identifies specific applications flowing across the network, irrespective of the port and protocol in use.


Of course, in many organizations applications are identified, and firewall policies are created, when they’re first installed in a data center or detected on user endpoints with configuration management software. Traditional port-based firewalls simply don’t provide enough information about the traffic that passes through them to accurately identify applications on the network. But SaaS-based applications don’t get installed by IT in your data center, or even by users on their corporate endpoints. Instead, SaaS-based applications are commonly run in web browsers or in apps that are installed on the users’ personal mobile devices. Thus, the challenge of application identification in a hybrid environment with on-premises and cloud-based SaaS applications — both sanctioned and unsanctioned — becomes ever harder to surmount.


Positive application identification is the traffic classification engine at the heart of next-generation firewalls. It requires a multifaceted approach to determine the identity of applications on the network, regardless of port, protocol, encryption, or evasive tactics. Application identification techniques used in next-generation firewalls (see Figure 2-2) include

- Application protocol detection and decryption: Determines the application protocol (for example, HTTP) and, if SSL is in use, decrypts the traffic so that it can be analyzed further. Traffic is re-encrypted after all the next-generation firewall technologies have had an opportunity to operate.

- Application protocol decoding: Determines whether the initially detected application protocol is the “real one,” or if it’s being used as a tunnel to hide the actual application (for example, Tor might be inside HTTPS).

- Application signatures: Context-based signatures look for unique properties and transaction characteristics to correctly identify the application regardless of the port and protocol being used. This includes the ability to detect specific functions within applications (such as file transfers within SaaS applications).

- Heuristics: For traffic that eludes identification by signature analysis, heuristic (or behavioral) analyses are applied — enabling identification of any troublesome applications, such as P2P or VoIP tools that use proprietary encryption.
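As an added example of the port-based versus application-centric contrast drawn here and in the sidebar above (not code from the book or from any vendor product), this Python classifier reads the first client bytes of a flow, pulls the hostname from an HTTP Host header or from the SNI extension of a TLS ClientHello, and maps it to an application without consulting the destination port. The hostname-to-application table (APP_BY_HOST) and the minimal ClientHello builder are constructed for the demo.

```python
"""Application-centric classification of a flow's first client bytes.
Added example; not code from the book or from any vendor product."""
import struct

# Constructed hostname-to-application table for the demo.
APP_BY_HOST = {
    "box.com": "box",
    "salesforce.com": "salesforce",
    "gotomypc.com": "gotomypc",
    "mail.google.com": "gmail",
}


def app_for_host(host: str) -> str:
    """Most specific domain suffix wins (mail.google.com before google.com)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        app = APP_BY_HOST.get(".".join(labels[i:]))
        if app:
            return app
    return "unknown-web"


def tls_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None."""
    # Record header: type 0x16 (handshake), version, length; then handshake
    # type 0x01 (ClientHello), 3-byte length, version, 32-byte random.
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        pos = 43                                   # session id length
        pos += 1 + payload[pos]
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]  # cipher suites
        pos += 1 + payload[pos]                    # compression methods
        if pos + 2 > len(payload):
            return None                            # no extensions present
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name extension
                # list length(2), name type(1), name length(2), name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (struct.error, IndexError):
        return None
    return None


def http_host(payload: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            return line[5:].strip()
    return None


def classify(dst_port: int, payload: bytes) -> dict:
    """Port-based verdict beside the application-centric verdict."""
    port_view = {80: "http", 443: "ssl"}.get(dst_port, "unknown")
    host = tls_sni(payload)
    if host:
        return {"port_view": port_view, "protocol": "ssl", "app": app_for_host(host)}
    host = http_host(payload)
    if host:
        return {"port_view": port_view, "protocol": "http", "app": app_for_host(host)}
    return {"port_view": port_view, "protocol": "unknown", "app": "unknown"}


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, no session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```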


Having the technology to accurately identify applications is important, but understanding the security implications of an application so that an informed policy decision can be made is equally important. Look for a next-generation firewall solution that includes information about each application, and its behaviors and risks, to provide IT administrators with application knowledge such as known vulnerabilities, ability to evade detection, file transfer capabilities, bandwidth consumption, malware transmission, and potential for misuse.
(Figure 2-2 art; labels: Protocol Detection/Decryption, Protocol Decoding, Signature.)

Figure 2-2: Next-generation firewall techniques used to identify applications regardless of port, protocol, evasive tactic, or SSL encryption.


User identification 


User identification technology links IP addresses to specific user identities, enabling visibility and control of network activity on a per-user basis. Tight integration with LDAP directories, such as Microsoft Active Directory (AD), supports this objective in two ways:

- It regularly verifies and maintains the user-to-IP address relationship using a combination of login monitoring, end-station polling, and captive portal techniques.

- It communicates with AD to harvest relevant user information, such as role and group assignments.
These details are then available to

- Gain visibility into who specifically is responsible for all application, content, and threat traffic on the network

- Enable the use of identity as a variable within access control policies

- Facilitate troubleshooting/incident response and reporting

With user identification, IT departments get another powerful mechanism to help control the use of applications in an intelligent manner. For example, a SaaS-based application that may be sanctioned for users in the marketing department may be blocked for other users throughout the organization (see Figure 2-3).





(Figure 2-3 art; labels: Paul, Engineering; Nancy, Marketing; Steve, Finance; Finance Group; User Identification; Login Monitoring, Role Discovery, End Station Polling, Captive Portal.)

Figure 2-3: User identification integrates enterprise directories for user-based policies, reporting, and forensics.


Chapter 2: Discovering SaaS Usage in Your Network 29 


Content identification 


Content identification infuses next-generation firewalls with capabilities previously unheard of in enterprise firewalls, such as real-time prevention of threats within permitted traffic, control of web and cloud activity, and file and data filtering:

- Threat prevention: This component prevents malware and exploits from penetrating the network, regardless of whether the application is on-premises or SaaS-based.

  - Application decoder: Preprocesses data streams and inspects them for specific threat identifiers.

  - Stream-based malware scanning: Scanning traffic as soon as the first packets of a file are received — as opposed to waiting until the entire file is in memory — maximizes throughput and minimizes latency.

  - Uniform threat signature format: Performance is enhanced by avoiding the need to use separate scanning engines for each type of threat. Viruses, command-and-control (C&C) communications, and vulnerability exploits can all be detected in a single pass.

  - Vulnerability attack protection: Robust routines for traffic normalization and defragmentation are joined by protocol-anomaly, behavior-anomaly, and heuristic detection mechanisms to provide protection from the widest range of both known and unknown threats.

  - Leveraging cloud-based intelligence: For content that is unknown, the ability to send it to a cloud-based security service for rapid analysis and a “verdict” that the firewall can then use.

- URL filtering: Although not required, URL filtering is another tool sometimes used to classify content. An integrated, on-box URL database allows administrators to monitor and control web surfing activities of employees and guest users. Employed in conjunction with user identification, web and cloud usage policies can even be set on a per-user basis, further safeguarding the enterprise from an array of legal-, regulatory-, and productivity-related risks.
- File and data filtering: Taking advantage of in-depth application inspection and file and data filtering enables enforcement of policies that reduce the risk of unauthorized information transfer or malware propagation. Capabilities include the ability to block files by their actual type (not based on just their extension), and the ability to control the transfer of sensitive data patterns such as credit card numbers. This complements the granularity of application identification, which for many applications offers the ability to control file transfer within an individual application.
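An added example (not code from the book or from any vendor product) of the two file and data filtering checks just described: deciding a file's real type from its leading bytes instead of its extension, and finding credit card numbers with a Luhn check so that other long digit strings such as order numbers are not flagged. The magic-byte table, the extension table and the sample inputs are constructed for the demo.

```python
"""File and data filtering: real file type from leading bytes, and credit
card detection validated with Luhn. Added example; not code from the book
or from any vendor product. Tables and sample inputs are constructed."""
import re

# Constructed table of leading bytes -> real container type.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),                      # OOXML Office, JAR, APK
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls
    (b"MZ", "windows-executable"),
]
# What a given extension claims the file to be.
EXPECTED_BY_EXT = {"pdf": "pdf", "docx": "zip-container", "xlsx": "zip-container",
                   "doc": "ole-compound", "xls": "ole-compound",
                   "exe": "windows-executable"}


def real_type(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def type_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the leading bytes contradict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_BY_EXT.get(ext)
    return expected is not None and real_type(data) != expected


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that pass Luhn; order numbers and phone numbers drop out."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def filter_verdict(filename: str, data: bytes, extracted_text: str) -> dict:
    """Combined verdict a file-and-data filtering policy could act on."""
    return {
        "real_type": real_type(data),
        "type_mismatch": type_mismatch(filename, data),
        "card_numbers": find_card_numbers(extracted_text),
    }
```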


With content identification, IT departments gain the ability to stop threats, reduce inappropriate use of the Internet, identify and control sanctioned and unsanctioned SaaS usage, and help prevent data leaks — all without having to invest in a pile of additional products that cause appliance sprawl and still don’t work well because of their lack of integration (see Figure 2-4).

(Figure 2-4 art; labels: DATA, THREATS, URLS.)

Figure 2-4: Content identification unifies content scanning for threats, confidential data, and URL filtering.
Policy control


Identifying the applications in use (application identification), who is using them (user identification), and what they’re using them for (content identification) is an important first step in learning about the traffic traversing the network. Learning what the application does, the ports it uses, its underlying technology, and its behavior is the next step toward making an informed decision about how to treat the application.

When a complete picture of usage is gained, organizations can apply policies with a range of responses that are more fine-grained and appropriate than simply “allow” or “deny” — the only options available in traditional port-based firewalls. This is made possible by the combination of application, user, and content identification, and the positive security model of next-generation firewalls.


Traditional port-based firewalls have the security model, but lack the intelligence. Other security devices might have some of the intelligence, but not the security model. Examples of policy control options in next-generation firewalls include

- Allow or deny

- Allow but scan for exploits, viruses, and other threats

- Allow based on schedule, users, or groups

- Decrypt and inspect

- Apply traffic shaping through QoS

- Apply policy-based forwarding

- Allow certain application functions

- Allow (or prevent) certain types of file transfer

- Any combination of the aforementioned

Because a positive control model, by definition, requires that organizations explicitly define the applications that are allowed on the network and block everything else, complete visibility and accurate identification are critical — particularly with SaaS-based applications that aren’t as easily identified as on-premises applications with traditional firewalls.
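An added example (not code from the book or from any vendor product) that ties the user identification section above to the policy options listed here: each session is enriched with the user learned from login monitoring and the groups returned by the directory, then evaluated against ordered rules on application, function, group and schedule, with default deny as the positive control model requires. The IP-to-user map, the directory data and the rule set are constructed for the demo and mirror the Box Corporate / Box Personal scenario discussed in Chapter 3.

```python
"""Positive-control policy evaluation over sessions enriched with user
identity. Added example; not code from the book or from any vendor product.
The directory data, IP-to-user map and rules below are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed: what login monitoring would learn (client IP -> user).
IP_TO_USER = {"10.1.1.20": "paul", "10.1.2.31": "nancy", "10.1.3.7": "steve"}
# Constructed: what the directory (AD/LDAP) would return (user -> groups).
USER_GROUPS = {"paul": {"engineering"}, "nancy": {"marketing"},
               "steve": {"finance"}}


@dataclass(frozen=True)
class Session:
    src_ip: str
    app: str        # from application identification, e.g. "box-personal"
    function: str   # application function, e.g. "upload", "download"
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset
    action: str                          # allow | allow-scan | deny
    functions: frozenset = frozenset()   # empty = any function
    groups: frozenset = frozenset()      # empty = any user
    hours: tuple = (0, 24)               # schedule: [start, end) hour

    def matches(self, s: Session, groups: set) -> bool:
        return (s.app in self.apps
                and (not self.functions or s.function in self.functions)
                and (not self.groups or bool(self.groups & groups))
                and self.hours[0] <= s.when.hour < self.hours[1])


def resolve_user(src_ip: str):
    """User identification: IP -> user (login monitoring), user -> groups (AD)."""
    user = IP_TO_USER.get(src_ip)
    return user, USER_GROUPS.get(user, set())


def evaluate(rules, s: Session) -> dict:
    """First matching rule wins; no match means deny (positive control model)."""
    user, groups = resolve_user(s.src_ip)
    for r in rules:
        if r.matches(s, groups):
            return {"user": user, "action": r.action, "rule": r.name}
    return {"user": user, "action": "deny", "rule": "default-deny"}


def make_session(src_ip: str, app: str, function: str, hour: int) -> Session:
    """Convenience constructor for the demo (fixed constructed date)."""
    return Session(src_ip, app, function, datetime(2015, 6, 1, hour, 0))


# Constructed rule set mirroring the Box Corporate / Box Personal scenario.
RULES = [
    Rule("sanctioned-box", frozenset({"box-corporate"}), "allow-scan"),
    Rule("personal-box-download", frozenset({"box-personal"}), "allow-scan",
         functions=frozenset({"browse", "download"}),
         groups=frozenset({"legal", "marketing"})),
    Rule("personal-box-upload", frozenset({"box-personal"}), "deny",
         functions=frozenset({"upload"})),
    Rule("lunchtime-video", frozenset({"youtube"}), "allow", hours=(12, 14)),
]
```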
High-performance architecture


Having a comprehensive suite of application awareness and content inspection capabilities is of little value if IT administrators are unable to fully engage them due to performance constraints. So, it’s important to select a next-generation firewall that is designed from the start to deliver high performance.

The issue is not just that these capabilities are inherently resource intensive. There’s also the tremendous traffic volume confronting today’s security infrastructure, not to mention the latency sensitivity of many applications. Rated throughput and reasonable latency should be sustainable under heavy loads, even when all application and threat inspection features are engaged simultaneously — which is the ideal configuration from a security perspective.

SaaS-based applications in particular are typically adopted by users because they’re fast and easy to use. Many of these applications are built for use on mobile devices, where speed is even more critical to users. Thus, a traditional firewall — or any other security product, for that matter — that introduces delays or latency will simply drive users to use a different SaaS-based application or find a new way to circumvent the organization’s security controls.

For traditional security products, especially those with bolted-on capabilities, each high-level security function is performed independently. This multipass approach requires low-level packet processing routines to be repeated numerous times. System resources are used inefficiently, and significant latency is introduced (see Figure 2-5).

In contrast, a next-generation firewall that uses a single-pass architecture eliminates repetitive handling of packets, reducing the burden placed on hardware and minimizing latency. Separate data and control planes help provide an enterprise-class solution (see Figure 2-6).

Next-generation firewalls produce numerous benefits over traditional network security infrastructures and solutions. These include
Figure 2-5: Legacy multipass architectures.


- Visibility and control: The enhanced visibility and control provided by next-generation firewalls enable enterprises to focus on business-relevant elements such as applications, users, and content for policy controls, instead of having to rely on nebulous and misleading attributes like ports and protocols, and to better and more thoroughly manage risks and achieve compliance, while providing threat prevention for allowed applications.

- Safe enablement: Achieve comprehensive coverage — by providing a consistent set of protection and enablement capabilities for all users, regardless of their location.
Figure 2-6: Single-pass parallel processing architecture and separate control and data planes.


- Simplification: Reduce complexity of the network security and its administration by obviating the need for numerous stand-alone products. This consolidation reduces hard capital costs, as well as ongoing “hard” operational expenses (such as support, maintenance, and software subscriptions, power, and heating, ventilation, and air-conditioning [HVAC]) and “soft” operational expenses (such as training and management).

- IT and business alignment: Enable IT to confidently say “yes” to the applications (whether on-premises or SaaS-based) needed to best support the business — by giving them the ability to identify and granularly control applications while protecting against a broad array of threats. This includes the ability for IT to add security rules “in stages” — actively investigating traffic that is unknown (based on advanced visibility) and then adding security rules as appropriate.


Chapter 3
Controlling SaaS Usage


In This Chapter

- Implementing smart policies and controls

- Enforcing appropriate controls at the employee, desktop, and network levels


This chapter explores SaaS usage policies, including employee, desktop, and network controls to help you control SaaS usage in your environment.


Usage Policies 


Technical solutions are too often implemented without considering the implications for an organization’s overall security strategy. To avoid this mistake, it’s important to ensure that your policies are up to date and the technology solutions you’re considering support a comprehensive security strategy.

Safe enablement is first and foremost about education and knowledge of applications, behavior, risks, and users. In the case of SaaS and web applications, your users have long since decided on the benefits, although there are opportunities to help them choose the best application for their needs and inform them of any potential security risks.

For governance to be effective, IT needs to take a major role in the definition of smart business policies. But it’s critical for IT not to be the sole owner of these policies, because their effectiveness and relevance are inversely proportional to the amount of classic IT thinking. IT security teams often think in two-dimensional terms — an application is either black or white, good or bad, allowed or blocked (see Chapter 2). However, different use cases may drive different policies that are necessary to continue functioning efficiently — without unduly putting the organization at risk.


Sanctioned corporate apps, such as a Box Corporate account or Salesforce, may be allowed without restrictions. Dangerous applications, such as SaaS apps known to be regularly infected with malware, hosted in dangerous geographic regions with poor security and governance controls, or with bad end-user license agreements (EULAs) and service-level agreements (SLAs), should be blocked outright. But there are also a number of SaaS applications that aren’t sanctioned, but also aren’t necessarily dangerous — and are essential to the business. For example, an organization with a Box Corporate account may block its users from uploading files to a Box Personal account. However, certain users — such as legal and marketing — may be allowed access to download files from a Box Personal account because their clients and consultants routinely share files with them through their own Box Personal accounts.


Governance and its management counterpart work best if they’re based on a set of smart organizational policies that are developed by the four major stakeholders in the application landscape — IT, HR, executive management, and the users. Clearly, IT has a role to play, but it can’t be the strictly defined role that it so often plays, nor can it be lax about its role as the enabler and manager of applications and technology.

If application controls are going to be implemented and enforced, they should be part of the overarching organizational security policy. As part of the process of implementing an application control policy, IT should make a concerted effort to learn about all applications that are being used in the organization, including SaaS and web-based applications, using the visibility provided by their next-generation firewalls (discussed in Chapter 2). This includes embracing them for all their intended purposes and, if needed, proactively installing them or enabling them in a lab environment to see how they act. Peer discussions, message boards, blogs, and developer communities are valuable sources of information.
Employee Controls


Most organizations have some type of application usage policy, outlining which applications are allowed and which are prohibited. Increasingly, such policies must also address SaaS usage.

Every employee is expected to understand the contents of this policy and the ramifications of not complying with it, but there are often unanswered questions that need to be addressed in the policy, including the following:

- Given the increasing number of “gray” applications that can potentially be used or misused for business purposes, how will an employee know which applications and uses are allowed and which are prohibited?

- How is the list of unapproved or unsanctioned applications updated and communicated to employees?

Documented employee policies need to be a key piece of the application control puzzle, but employee controls as a stand-alone mechanism are largely ineffective for the safe enablement of applications. Security technologies, such as next-generation firewalls, are necessary to enforce these policies. A next-generation firewall enables the organization to maintain complete visibility of the network and accurately identify applications and users on the network. The next-generation firewall can then be configured at a highly granular level to enforce rules that are consistent with the organization’s policies.


Desktop Controls 


Desktop controls (“locking down” the desktop to keep users from installing their own applications) present IT departments with significant challenges. Careful consideration should be applied to the granularity of the desktop controls and the impact on employee productivity.
Desktop controls can complement documented employee policies as a means to safely enable applications and are a key piece to the safe enablement of applications in the enterprise, but if used alone, will be ineffective for several reasons:

- SaaS-based applications often run in a browser window and don’t require any desktop software to be installed.

- Laptops connecting remotely, Internet downloads, USB drives, and email are all means of installing applications that may or may not be sanctioned.

- Removing administrative rights completely has proven to be difficult to implement and, in some cases, limits end-user capabilities.

- USB drives are now capable of running applications, so an application can, in effect, be accessed after the network admission is granted.

In addition to traditional desktop controls, next-generation firewalls should be used to identify and control application usage, including sanctioned and unsanctioned SaaS, on the network.


Network Controls 


At the network level, what’s needed is a means to accurately identify all applications and block or control them. By implementing network level controls, IT is able to minimize the possibility of threats and disruptions stemming from the use of applications.

Various security technologies that have traditionally been used to enforce network level controls are largely ineffective in today’s complex application and threat landscape, including:

- Stateful firewalls: Stateful firewalls have traditionally been used as a first line of defense at the network perimeter, providing coarse filtering of traffic and segmenting the network into different zones. But stateful firewalls use protocol and port information to identify and control what applications and traffic gets in and out of the network. This outdated approach fails to provide complete visibility and accurate identification of applications and users and is, therefore, ineffective.


Intrusion prevention systems (IPSs): An IPS inspects a 
subset of network traffic and blocks known threats or 
bad applications, most commonly based on signature 
files that must be regularly updated. 


¥ Proxies: Proxies inspect a limited set of applications or 
protocols and, as such, only see a partial set of the net- 
work traffic that needs to be monitored and controlled. 
By design, proxies mimic the applications that they’re 
trying to control, so they struggle with new applications 
and updates to existing applications. Proxies often break 
applications (particularly on mobile devices) and suffer 
from high latency and reduced reliability. 


Next-Generation Firewalls 


The challenge with any of these network controls is that they can’t understand the full context of SaaS usage. They rely on network functions such as ports and protocols to define usage. This prevents proper visibility and control of SaaS applications, which typically are exclusive to port 80 or 443, making them indistinguishable from other web traffic. Even more of a concern is that these applications often use encryption to protect the data being exchanged, making it even harder to determine the application or the data it’s exchanging.


That’s where a next-generation firewall becomes a key component of enabling SaaS usage. With the ability to identify which applications are being used, you can create a policy that specifies the application itself, regardless of the port, even if it’s encrypted.


Not all firewalls that claim to be next-generation firewalls are the same, though. Many offer a simple allow-or-block approach to applications without much granularity in the policy to determine whether the application detected is a personal version or a corporate version, whether it’s uploading data or downloading, and most important, whether threats are being exchanged through the SaaS application.

Without the application, user, threat, and usage context, you can’t define the granular policy that SaaS control requires. This will potentially disrupt business-critical applications by lumping them in with risky applications. This can have significant business impact because users may have become accustomed to using these applications to do their daily jobs. They may have already moved corporate data to them, so simply cutting them off may prevent migration to a sanctioned application.


Detailed reporting of how users are currently using applications becomes the first critical step (see Chapter 2). With that detail, you now have the ability to define granular policy control around critical business usage of SaaS, allowing you to block risky and unnecessary applications while controlling access and usage of ones that are business critical. Limiting a particular group to an app and only allowing them to download but not upload is a critical step.
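To make the difference between a port-based verdict and an application-, user-, and direction-aware policy concrete, here is an added example (not code from the book or from any firewall vendor). The rule fields, group names, application names, and sample sessions are all assumptions constructed for the illustration; a real product evaluates these attributes from its own application identification and user mapping.

```python
"""Evaluate SaaS sessions against a granular, application-aware policy.

Added example (not code from the book or from any vendor product). The rule
fields, group names and sample sessions are assumptions constructed for this
illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """One observed flow, as an application-aware firewall would classify it."""
    app: str              # application identity, independent of port or TLS
    user: str
    group: str            # directory group the user belongs to
    direction: str        # "upload" or "download"
    account: str          # "corporate" or "personal" instance of the app
    threat: bool = False  # a file in the flow received a malware verdict


@dataclass(frozen=True)
class Rule:
    """A policy rule; a None field matches anything."""
    name: str
    action: str                     # "allow" or "block"
    app: Optional[str] = None
    group: Optional[str] = None
    direction: Optional[str] = None
    account: Optional[str] = None

    def matches(self, s: Session) -> bool:
        checks = ((self.app, s.app), (self.group, s.group),
                  (self.direction, s.direction), (self.account, s.account))
        return all(want is None or want == got for want, got in checks)


# Constructed policy: first matching rule wins, unmatched traffic is blocked.
POLICY: List[Rule] = [
    Rule("finance-box-download-only", "allow", app="box", group="finance",
         direction="download"),
    Rule("finance-box-no-upload", "block", app="box", group="finance",
         direction="upload"),
    Rule("engineering-corporate-github", "allow", app="github",
         group="engineering", account="corporate"),
    Rule("block-personal-instances", "block", account="personal"),
    Rule("sales-salesforce", "allow", app="salesforce", group="sales"),
]


def evaluate(session: Session, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for a session.

    A threat verdict overrides every allow rule: the point of a granular policy
    is to stop threat insertion without having to block the whole application.
    """
    if session.threat:
        return "block", "threat-prevention"
    for rule in policy:
        if rule.matches(session):
            return rule.action, rule.name
    return "block", "default-deny"


def port_based_verdict(dst_port: int) -> str:
    """What a port-based firewall can decide: every SaaS flow on 443 looks
    the same, so it can only allow or block all of them together."""
    return "allow" if dst_port in (80, 443) else "block"


if __name__ == "__main__":
    samples = [
        Session("box", "alice", "finance", "download", "corporate"),
        Session("box", "alice", "finance", "upload", "corporate"),
        Session("github", "bob", "engineering", "upload", "corporate"),
        Session("github", "bob", "engineering", "upload", "personal"),
        Session("salesforce", "carol", "sales", "download", "corporate", threat=True),
        Session("dropbox", "dave", "marketing", "upload", "corporate"),
    ]
    for s in samples:
        action, rule = evaluate(s)
        print(f"{s.user:6} {s.app:10} {s.direction:8} {s.account:9} -> "
              f"{action:5} ({rule}); port-based view: {port_based_verdict(443)}")
```

Rule order is the policy: the finance download rule sits above the finance upload block, the personal-instance block catches anything a more specific allow didn’t, and everything else falls through to default deny. Every sample session would look identical (TCP 443, allowed) to the port-based view.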


Only a true next-generation firewall can control usage with 
the context and granularity to prevent data exposure risk and 
threat insertion risk without disrupting the business or its 
users. 


Chapter 4 
Protecting Sanctioned SaaS 


In This Chapter 
Detecting malware in the cloud 
Understanding how sharing can be bad for your organization 
Stopping data theft 
Restricting SaaS access to authorized users 
Ensuring accountability in your SaaS environment 
Making sure your users understand the risks 


New security challenges emerge when an organization defines a SaaS application as sanctioned and data is allowed in the cloud where that application resides.


Data in the cloud is no longer completely in the organization’s control, and visibility is often lost. SaaS vendors do their best to protect the data in their applications, but it’s ultimately not their responsibility. Just like any other part of the organization’s network and data center, it’s the responsibility of the IT security team to protect and control the data, regardless of its location.


In this chapter, I explain how to get visibility and control of your sanctioned SaaS applications so that you can be confident that your data and users are safe in the cloud!


Preventing Threat Insertion 


Malware infection (or threat insertion) is an important step in the cyberattack life cycle (see the sidebar “Know thy enemy: Modern cyberattack strategy”) and a key to breaching a target organization’s network. SaaS applications can potentially be used as a new entry and distribution point for malware.

Know thy enemy: Modern cyberattack strategy


Modern cyberattack strategy employs a patient, multistep, covert process that blends exploits, malware, and evasion in a coordinated attack. The cyberattack life cycle (see the following figure) is a sequence of events that an attacker goes through to successfully infiltrate an organization's network and steal data.

Here are the steps of the cyberattack life cycle:

1. Reconnaissance.


Like common criminals, cybercriminals carefully study their victims and plan their attacks, often using social engineering, phishing, email address harvesting, and other tactics to research, identify, and select targets. They also use various tools to scan networks (and SaaS applications) for vulnerabilities, services, and applications that can be exploited.


2. Weaponization and delivery. 


Next, the attacker determines the malware payload and the method that 
will be used to deliver it. For example, data files or web pages can be 
weaponized with exploits that are used to target the victim’s vulnerable 
software and delivered via an email attachment or drive-by download. 


3. Exploitation. 


The attacker generally has two options for exploitation: social engineering or exploits. Social engineering is a relatively simple technique used to lure someone into clicking a bad link or opening a malicious executable file, for example. Software exploits are a more sophisticated technique because they essentially trick the operating system, web browser, or other third-party software into running an attacker's code. This means the attacker has to craft an exploit to target specific vulnerable software on the endpoint. When exploitation has succeeded, an advanced malware payload can be installed.

4. Installation.


Once a target endpoint has been infiltrated, the attacker needs to ensure persistence (resilience or survivability). Various types of advanced malware are used for this purpose, including anti-AV software, backdoors, bootkits, and rootkits.


5. Command-and-control (CnC). 


Communication is the lifeblood of a successful attack. Attackers must be 
able to communicate with infected systems to enable CnC, and to extract 
stolen data from a target system or network. This communication can 
also be used by the attacker to move laterally, targeting other systems 
on the victim's network. CnC communications must be stealthy and can't 
raise any suspicion on the network. 


6. Actions on the objective. 


Attackers have many different motives for an attack, including data theft, 
destruction of critical infrastructure, hacktivism, and cyberterrorism. This 
final phase of the attack often lasts months or even years, particularly when 
the objective is data theft, as the attacker uses a low-and-slow attack 
strategy to avoid detection. 








SaaS applications are designed to be easily and securely accessible from anywhere, typically by using SSL/TLS encryption. As a result, SaaS applications provide an excellent platform to distribute malware payloads, often undetected!


Malware creators rely heavily on encryption to hide their malware payloads from traditional port-based firewalls, as well as the ongoing command-and-control traffic associated with malware. SSL/TLS is a favorite, simply because it has become a default protocol for so much Internet traffic and, if Google has its way, all web traffic (see the sidebar “Does Google’s call for ‘HTTPS everywhere’ mean security nowhere?”).


As more SaaS applications are used within an organization, it potentially becomes easier for an attacker to place a malware payload on a SaaS-based file share, for example, to be propagated throughout the organization (see Figure 4-1).

Figure 4-1: Malware propagation.


The attacker can use a publicly available free account to distribute the malware payload, or if he’s able to take control of a user’s endpoint within the organization with malware or by running an exploit, he can possibly infect the organization’s enterprise SaaS account. The attacker can then begin data exfiltration — for example, by changing the organization’s SaaS-based share permissions to public so that valuable or sensitive data can be remotely retrieved from anywhere by anyone, without ever crossing a perimeter firewall or other traditional network security solutions.


Malicious activity in SaaS environments can be very difficult to detect by a traditional firewall. In this scenario, the malicious user is performing actions that seem perfectly acceptable to the firewall — accessing an allowed service and using it to share files.
Controlling Shares and Usage in the Cloud


End-users are often the weakest link when it comes to information security — and SaaS applications are no exception! Although well intentioned, end-users are often untrained and/or unaware of the potential risks associated with their activities — and as the old adage goes, the Information Superhighway is paved with good intentions. (Okay, maybe that’s not exactly what the old adage says.)


Because SaaS applications are designed to be easy to use, which also means easy to share, it’s understandable that data becomes unintentionally exposed in a variety of ways. By far, the biggest risk in SaaS applications today is accidental data exposure, which is alarmingly common. It typically happens in one of the following ways:


• Accidental sharing: A share that is meant for a particular person is accidentally sent to the wrong person or group. This is common when a name auto-completes or is mistyped, which may be pointing to an old email address or the wrong name, the wrong group, or even an external user.

• Promiscuous sharing: A legitimate share is created by a user, but that user goes on to share with other people who shouldn't have access to it. This often ends with the data being publicly shared because it can go well beyond the control of the original owner.

• Ghost (or stale) sharing: This occurs when employees or vendors are no longer working with the company, or should no longer have access, but their shares remain. With no visibility or control of the shares, it’s very difficult to track and fix these shares. Scary, right?


Figure 4-2 illustrates promiscuous and accidental sharing. In the example on the left, Mary shares a file with Bill. Bill shares with John, who shares with three others and so on — promiscuous sharing. At this point, you may be wondering, “Who controls the data and where is it?” That’s an easy one: No one controls the data, and it’s everywhere!

In the example on the right (refer to Figure 4-2), Joe works in finance and needs to collaborate on a sensitive spreadsheet with Mark, the CFO. But as Joe begins to type M-A-R-K, the SaaS application’s auto-complete feature also displays “marketing,” which Joe accidentally selects. Or worse yet, Joe might instead select the “Anyone with the link” option because he wants to make sure all the right people have access to the file (and doesn’t really understand that means all the wrong people also have access to the file!), which exposes the file publicly. If the SaaS app happens to be Google Drive, not only is it publicly exposed, but he also just made that file searchable on Google. That takes promiscuous sharing to a whole new level!


Figure 4-2 also illustrates ghost sharing, but unless you have the “sixth sense,” you'll just have to trust me! Or you could suppose that one of the three people that John shared the file with (in the first example) was Bruce (Willis), a consultant who did some work for the company last year, but no one bothered disabling his account after his work was completed.

Figure 4-2: Accidental data exposure.


Preventing Malicious Data Exfiltration


Malicious data exfiltration can happen as part of the cyberattack life cycle (see the sidebar “Know thy enemy: Modern cyberattack strategy”). After successfully infecting a target with malware or running an exploit, an attacker can move laterally throughout the network — and across clouds (SaaS applications) — harvesting valuable data. When the attacker is ready, he can change the file-sharing permissions to “public” and remotely extract the target data at will.

There is yet another malicious data exfiltration scenario, which tends to turn our stomachs and conjure up images of double agents in World War II spy novels: the malicious insider.


The malicious insider scenario is particularly distasteful because it involves someone your organization already trusts by definition — an “insider.” Unfortunately, malicious insiders are nothing new. According to Verizon’s 2015 Data Breach Investigations Report (DBIR), “As with prior years, the top action (55 percent of incidents) was privilege abuse — which is the defining characteristic of the internal actor breach.”


The DBIR goes on to say “Catching insider abuse is not easy” — and that’s a general statement about insider abuse, not specifically considering the unique security challenges of SaaS applications!


A malicious insider attempting to steal data that’s in the organization’s data centers risks discovery by perimeter firewalls or data loss prevention (DLP) solutions — if large volumes of data are detected being sent to a personal email address, for example.


However, SaaS application data is already outside an organization’s data centers and beyond the purview of traditional perimeter firewalls and DLP solutions. Thus, a malicious insider might simply change the folder permissions within the SaaS application and download the targeted data remotely — just like a malicious “outsider.”


Actively Scanning Your SaaS Environment


A firewall or proxy can only detect threats that pass through them. Sensitive data and inappropriate shares may exist in your SaaS environment well before a particular SaaS app is sanctioned. When the app is sanctioned, those risks will still exist until the app or data passes through a firewall or proxy. And because a SaaS app can typically be accessed from anywhere and on any device — it may never pass through a firewall or proxy!

For these reasons, it’s important to implement a security solution that will proactively scan your SaaS environment for malware and exploits, inappropriate shares, sensitive data, and other security and privacy risks.
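What such a scan looks for is spelled out earlier in the chapter (public links, shares to external domains, ghost shares left behind by departed users, and sensitive data sitting in shared files), so here is an added example that classifies a constructed set of share records along exactly those lines. It is not code from the book or from any vendor product; the share records, the directory, the domains, and the sensitive-data patterns (an SSN pattern and a Luhn-checked card-number pattern, the two examples the glossary gives for DLP) are all constructed assumptions. A real scan would pull the share inventory from the SaaS provider’s API rather than from an inline list.

```python
"""Audit a SaaS application's existing shares for the exposure types the
chapter describes: public links, external domains, ghost shares, group-wide
shares, and sensitive data in shared files.

Added example (not code from the book or from any vendor product). The share
records, directory, domains and sensitive-data patterns are constructed
assumptions; a real scan would pull shares from the SaaS provider's API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

CORP_DOMAIN = "example.com"                 # assumed corporate domain
PARTNER_DOMAINS = {"partner.example.org"}   # assumed sanctioned partner domains
PUBLIC_LINK = "anyone-with-link"            # marker for "Anyone with the link"

# Constructed directory: who is still active and who is not.
DIRECTORY = {
    "joe@example.com": "active",
    "mark@example.com": "active",
    "bruce@example.com": "deactivated",     # the consultant nobody offboarded
}


@dataclass(frozen=True)
class Share:
    file: str
    owner: str
    collaborator: str   # an email address, a group name, or PUBLIC_LINK
    sample: str = ""    # constructed excerpt of the file's content


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_data(text: str) -> List[str]:
    """Return which sensitive-data patterns appear in the excerpt."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("card")
            break
    return found


def classify(share: Share) -> List[str]:
    """Label a share with every exposure type it exhibits."""
    findings = []
    c = share.collaborator.lower()
    if c == PUBLIC_LINK:
        findings.append("public-link")
    elif "@" in c:
        domain = c.rsplit("@", 1)[1]
        if domain != CORP_DOMAIN and domain not in PARTNER_DOMAINS:
            findings.append("external-domain")
        elif domain == CORP_DOMAIN and DIRECTORY.get(c) != "active":
            findings.append("ghost-share")   # deactivated or unknown corporate account
    else:
        findings.append("group-share")       # a whole group, e.g. an auto-completed "marketing"
    if sensitive_data(share.sample):
        findings.append("sensitive-data")
    return findings


def audit(shares: List[Share]) -> Dict[Tuple[str, str], List[str]]:
    """Map (file, collaborator) to findings; shares with no findings are omitted."""
    return {(s.file, s.collaborator): f for s in shares if (f := classify(s))}


# Constructed share inventory, mirroring the chapter's Joe/Mark/Bruce scenarios.
SHARES = [
    Share("budget.xlsx", "joe@example.com", "marketing", "Q3 revenue 1,200,000"),
    Share("budget.xlsx", "joe@example.com", PUBLIC_LINK, "Payroll SSN 123-45-6789"),
    Share("plan.docx", "mary@example.com", "bruce@example.com", "Roadmap draft"),
    Share("contract.pdf", "mary@example.com", "bill@partner.example.org", "Terms"),
    Share("customers.csv", "john@example.com", "someone@gmail.com", "Card 4111 1111 1111 1111"),
    Share("notes.txt", "mark@example.com", "joe@example.com", "Ticket 1234567890123"),
]

if __name__ == "__main__":
    for (file, who), findings in audit(SHARES).items():
        print(f"{file:14} -> {who:26} {', '.join(findings)}")
```

The last record shows why the Luhn check matters: a 13-digit ticket number matches the card pattern but fails the checksum, so it is not reported. The partner share produces no finding because its domain is on the sanctioned list, which is the distinction between an external collaborator you chose and one you did not.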


Preventing Unauthorized Users 


Access control is a basic security requirement for any computing environment, and SaaS applications are no exception.


Ensure that your users are properly authenticated in your SaaS applications, ideally with a single sign-on (SSO) solution that integrates with your directory service. Some organizations may also choose to lock down access to SaaS applications to specific domains or IP address ranges. This additional precaution prevents access outside the corporate network, but may prevent collaboration with external vendors that need access to the SaaS application — unless you also add their domains and IP address ranges.


Also, ensure that your firewall enables a granular access control policy. Just because a certain SaaS application is sanctioned doesn’t necessarily mean that everyone in the organization needs access to the application. As with your on-premises applications, your firewall policy should enforce appropriate access controls for all your users and applications — regardless of whether they’re on premises or in the cloud.
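The domain-and-address lockdown just described, including the vendor caveat, as an added example (not code from the book or from any SaaS product). The domains, user names, and address ranges are constructed; the ranges are the documentation-only networks from RFC 5737 and RFC 3849, so nothing here points at a real network.

```python
"""Check a SaaS sign-in against an identity-plus-location access policy.

Added example (not code from the book or from any SaaS product). Domains,
user names and address ranges are constructed; the ranges are the
documentation-only networks from RFC 5737 (203.0.113.0/24, 198.51.100.0/24,
192.0.2.0/24) and RFC 3849 (2001:db8::/32).
"""
import ipaddress
from typing import Iterable, List, Tuple


class AccessPolicy:
    """Allowed sign-in domains plus the networks sign-ins may come from."""

    def __init__(self, domains: Iterable[str], networks: Iterable[str]) -> None:
        self.domains = {d.lower() for d in domains}
        self.networks = [ipaddress.ip_network(n) for n in networks]

    def add_partner(self, domain: str, networks: Iterable[str]) -> None:
        """Extend the policy for an external vendor that needs access."""
        self.domains.add(domain.lower())
        self.networks.extend(ipaddress.ip_network(n) for n in networks)

    def check(self, email: str, source_ip: str,
              sso_assertion_valid: bool) -> Tuple[bool, str]:
        """Return (allowed, reason). Identity is checked before location."""
        if not sso_assertion_valid:
            return False, "no-sso-assertion"
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in self.domains:
            return False, "domain-not-allowed"
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "invalid-source-ip"
        # An IPv4 address is never "in" an IPv6 network and vice versa, so
        # mixed-family policies behave correctly without extra handling.
        if not any(ip in net for net in self.networks):
            return False, "source-ip-not-allowed"
        return True, "ok"


def demo() -> List[Tuple[str, str, bool, str]]:
    """Walk through the corporate-only policy, then extend it for a vendor."""
    policy = AccessPolicy(["example.com"], ["203.0.113.0/24", "2001:db8::/32"])
    attempts = [
        ("alice@example.com", "203.0.113.7", True),          # office, SSO
        ("alice@example.com", "198.51.100.9", True),         # home network
        ("alice@example.com", "203.0.113.7", False),         # no SSO assertion
        ("vendor@partner.example.org", "192.0.2.5", True),   # vendor, not yet added
    ]
    results = [(e, ip, *policy.check(e, ip, sso)) for e, ip, sso in attempts]
    policy.add_partner("partner.example.org", ["192.0.2.0/24"])
    e, ip, sso = attempts[-1]
    results.append((e, ip, *policy.check(e, ip, sso)))      # vendor, after adding
    return results


if __name__ == "__main__":
    for email, ip, allowed, reason in demo():
        print(f"{email:28} from {ip:14} -> {'allow' if allowed else 'deny':5} ({reason})")
```

The order of checks is deliberate: a valid SSO assertion comes first, so the address allowlist is a second factor on top of identity rather than a substitute for it. The vendor attempt is denied until both the vendor’s domain and its address range are added, which is the trade-off the text points out.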


Assigning an Admin for Mitigation


When you have visibility into your SaaS environment, you'll immediately recognize the need to assign a security administrator to mitigate security risks as they’re identified! Just like the first next-generation firewall you deployed on your network, you'll be amazed — perhaps even mortified — by what you didn’t know that you didn’t know.

Ensure that your cloud security solution provides actionable intelligence on security risks and real-time threats in your SaaS environments, and prioritizes them appropriately.


Training Users on Proper Usage 


Most SaaS users already understand the many benefits of 
their preferred SaaS applications — they use them every day 
and in some cases may have adopted them well before your 
organization did! 


However, fewer SaaS users understand the risks associated 
with various SaaS applications and behaviors. Ongoing and 
pertinent security awareness training is critical to the safe 
enablement of SaaS usage in your organization. 
Chapter 5


Six SaaS Security Challenges


To gain control of sanctioned and unsanctioned SaaS usage in your organization, a few key challenges must be addressed. Here’s a list of six SaaS security challenges to get you started!


SaaS Usage Visibility


Once data has left the network perimeter, it is very hard to control the use of SaaS applications or to have visibility into them. This presents a significant challenge with end-users now acting as their own IT department, with control over the applications they use and how they use them, but without the expertise in data or threat risk assessment and prevention.


Even skilled users with security experience can run into problems with SaaS applications without the right tools to have visibility into data exposure and threat insertions that SaaS can introduce.


Start by clearly defining the SaaS applications that should be used and which behaviors within those applications are allowed. This requires a clear definition of which applications are sanctioned (allowed) by the company and which are not allowed (unsanctioned) and then putting solutions in place to control their usage. Your organization’s users also need to understand why certain applications and behaviors are unsanctioned, such as the following (see Figure 5-1):


• Regulatory noncompliance risks

• Loss of intellectual property and sensitive data

• Malware distribution

Figure 5-1: Impacts of sanctioned and unsanctioned SaaS.


Visibility and Data Exposure Controls


With SaaS usage defined and controlled with a granular policy, 
data will be moving to applications that the organization has 
sanctioned. When the data has reached the cloud service, it 
resides within the SaaS application and is no longer visible to 
an organization’s network perimeter. This is traditionally a 
blind spot for IT. 


Malware from third parties and improper sharing are still dangers that need to be protected against. An additional set of controls specific to data exposure is needed to specifically address these risks unique to SaaS. The focus needs to be on data protection in this environment, so a deep understanding of users, the data they’ve shared, and how they’ve shared it is key.

Contextual Control of Data Exposure


Data in the cloud can be either structured (such as application data in Salesforce.com) or unstructured (such as documents stored on Box). Both can be a source of improper data shares.


To properly protect data in the cloud and ensure regulatory 
compliance for sensitive data, such as cardholder data (for 
PCI DSS) and PII, you need security tools that enable you to 
define granular, context-aware policy controls with the ability 
to drive enforcement and quarantine users and data before a 
violation occurs. 


Threat Prevention


Malware and exploit prevention are important objectives for network security, and it’s no different with SaaS applications. In fact, SaaS applications introduce new risks and threat vectors that need to be understood and controlled.


Many SaaS applications automatically synchronize files with users. In addition, many people use SaaS applications to share data with third parties that are outside the control of the organization. The combination of these two common SaaS behaviors creates a new insertion point for malware — one that can potentially infect a target organization through external shares and automatically synchronize those infected files across the organization — with no user intervention required.


To prevent new SaaS-based threats, you need a security solution that protects your sanctioned SaaS applications from known and unknown malware threats and exploits, regardless of the source of the malicious file.
Risk Prevention, Not Just Response


Unlike a traditional firewall, the threat and data exposure protections should not be an in-line function only looking at future events. Instead, they need to look back at all the previous data and shares in your sanctioned SaaS applications, even before the policy has been put in place. This way, data exposure and threat risks are caught no matter when they occurred, without waiting for an event that causes them to be inspected.


No Performance Impact 


SaaS-based applications appeal to users and organizations because they’re convenient, easy to use, and fast. Any security solution that negatively impacts the user experience — such as installing additional software and hardware, requiring the use of proxies or agents, or anything that adds latency or slows performance — will simply drive users to other unsanctioned SaaS applications.


Look for a cloud-based security solution that doesn’t require 
network configuration changes or inline deployment, and 
doesn’t affect latency or bandwidth requirements for your 
sanctioned SaaS applications. Native applications on mobile 
devices should also be supported so that users aren’t limited 
to only using web-based access on their devices. 


Glossary 


adware: Pop-up advertising programs that are commonly 
installed with freeware or shareware. 


Ammyy: A remote access application that has been commonly exploited by attackers in vishing (voice phishing) attacks.


anti-AV software: Malware that disables any legitimately installed antivirus software on a compromised endpoint, thereby preventing automatic detection and removal of malware that is subsequently installed by the attacker. Many anti-AV programs work by infecting the master boot record (MBR) of a target endpoint.


API: See application programming interface. 


application programming interface (API): A set of protocols, 
routines, and tools used to develop and integrate applications. 


Application Usage and Threat Report: Security research prepared by Palo Alto Networks’ threat intelligence team, Unit 42, that examines global trends across the threat landscape and application usage. The report is available for free download at www.paloaltonetworks.com.


AUTR: See Application Usage and Threat Report.


backdoor: Malware that enables an attacker to bypass normal authentication procedures in order to gain access to a compromised system and is often installed as a failover, in case other malware is detected and removed from the system.


blended threat: An exploit that combines multiple types of 
malware and employs multiple attack vectors. 


bootkit: A kernel-mode variant of a rootkit, commonly used to attack computers that are protected by full-disk encryption.

bot: An individual endpoint that has been infected with malware.


botnet: A network of bots working together and controlled by 
an attacker through command-and-control servers. 


bring your own application (BYOA): A popular trend related 
to BYOD (albeit, less well known) and consumerization in 
which employees are permitted to use personal applications 
in the workplace for work-related and personal business. 


bring your own device (BYOD): A popular trend in which 
employees are permitted to use their personal mobile 
devices, such as smartphones and tablets, in the workplace 
for work-related and personal business. 


BYOA: See bring your own application. 
BYOD: See bring your own device. 

CAGR: See compound annual growth rate. 
CASB: See cloud access security broker. 


cloud access security broker (CASB): Security enforcement 
points, either on-premises or cloud based, between a cloud 
service provider and its customers that provide visibility and 
control to safely enable cloud-based services. 


compound annual growth rate (CAGR): The mean annual 
growth rate over a period of time longer than one year. 


consumerization: The process of consumerization occurs as 
users increasingly find personal technology and applications 
that are more powerful or capable, more convenient, less 
expensive, quicker to install, and easier to use, than corporate 
IT solutions. These user-centric “lifestyle” applications and 
technologies enable individuals to improve their personal 
efficiency, handle their nonwork affairs, and maintain online 
personas, among other things. 


CRM: See customer relationship management. 




customer relationship management (CRM): Software used to manage and analyze customer interactions and data throughout the customer lifecycle.


data loss prevention (DLP): A security tool that is used to detect and prevent certain data, defined by policy, from being copied or sent outside of an organization. For example, a DLP solution might disable USB drives on user endpoints and block (or encrypt) certain data that matches a pattern (such as a credit card or Social Security number) from being sent via email.


deep packet inspection (DPI): A packet filtering process that examines a network packet’s header information and data for policy violations, malware, intrusions, and other potential security threats. If necessary, the DPI engine decrypts encrypted packets for the purpose of inspection.


DLP: See data loss prevention. 
DPI: See deep packet inspection. 


Dridex: Dridex is a banking Trojan descended from the 
GameOver Zeus family of malware. 


drive-by download: Advanced malware or an exploit that is 
delivered in the background, without the user’s knowledge, 
usually by taking advantage of a vulnerability in an operating 
system, web browser, or other third-party application. 


dynamic packet filtering: See stateful inspection. 


Dyre/Upatre: Upatre is the name of a malware downloader, 
generally delivered via a macro-based malware Microsoft 
Office document, which then retrieves Dyre, a banking Trojan 
similar in function to GameOver Zeus and its variants. 


exploit: Software or code that takes advantage of a vulnerability in an operating system or application, and causes unintended behavior in the operating system or application, such as privilege escalation, remote control, or a denial of service.

File Transfer Protocol (FTP): A standard network protocol used to transfer computer files from one host to another over TCP ports 20 and 21.


Financial Industry Regulatory Authority (FINRA): An independent not-for-profit organization responsible for ensuring that the U.S. securities industry operates fairly and honestly.

FINRA: See Financial Industry Regulatory Authority.

FTP: See File Transfer Protocol. 

Health Insurance Portability and Accountability Act 
(HIPAA): U.S. legislation passed in 1996 that, among other 
things, protects the confidentiality and privacy of protected 
health information (PHI). 

HIPAA: See Health Insurance Portability and Accountability Act. 
HTTP: See Hypertext Transfer Protocol. 

HTTPS: See Hypertext Transfer Protocol over SSL/TLS. 


Hypertext Transfer Protocol (HTTP): The primary communication protocol of the Internet.


Hypertext Transfer Protocol over SSL/TLS (HTTPS): A secure communication protocol widely used on the Internet.


IaaS: See Infrastructure as a Service.
IM: See instant messenger.


Infrastructure as a Service (IaaS): A category of cloud computing services in which the customer manages operating systems, applications, compute, storage, and networking, but the underlying physical cloud infrastructure is maintained by the service provider.


instant messenger (IM): A type of real-time online chat over 
the Internet. 
intrusion prevention system (IPS): A security appliance or software that detects and prevents known vulnerability exploits.


IPS: See intrusion prevention system.

LDAP: See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP): An open standards-based protocol for accessing and maintaining distributed directory services.

logic bomb: A program, or portion thereof, designed to perform some malicious function when a predetermined circumstance occurs.

malware: Malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes botnets, viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.

NAT: See network address translation. 

network address translation (NAT): NAT performs a one-to- 
one mapping of public IP addresses to private IP addresses on 
an internal network. 

NIST: See U.S. National Institute of Standards and Technology. 
P2P: See peer-to-peer. 

PaaS: See Platform as a Service. 

PAT: See port address translation. 

Payment Card Industry Data Security Standard (PCI DSS): 

A proprietary information security standard mandated for 
organizations that handle American Express, Discover, JCB, 


MasterCard or Visa payment cards. 


PCI DSS: See Payment Card Industry Data Security Standard. 
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peer-to-peer (P2P): A distributed application architecture that 
enables sharing between nodes. 


personally identifiable information (PII): Any personal data 
that can potentially be used to identify a specific individual 
such as full name, home address, date of birth, birthplace, 
Social Security number, passport number, driver’s license 
number, and telephone number, among others, as well as 
email address and IP address (in some cases). 
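The PII and PCI DSS entries above describe data that has to be found before it can be protected. As an added example (not code from this book), the Python below scans constructed sample records for the PII fields the definition lists and for payment card numbers, applying a Luhn check so that a 13- to 19-digit number is only reported as a primary account number (PAN) when its check digit is valid. The sample text, the field names, and the regular expressions are assumptions; the patterns are deliberately narrow, and a real data loss prevention engine uses far more context.

```python
"""Constructed PII / cardholder-data scanner (example only).

Regex finders for common PII fields plus a Luhn check that keeps
random 16-digit numbers (order refs, IDs) from being flagged as cards.
"""
import re
from typing import Dict, List

# Assumed patterns: US-centric and intentionally narrow.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample input; the second card-like number fails Luhn on purpose.
SAMPLE = """\
Ticket 4821: customer Jane Doe, jane.doe@example.com, phone 415-555-0123,
SSN 123-45-6789, paid with card 4111 1111 1111 1111 from 203.0.113.44.
Order ref 4111 1111 1111 1112 is NOT a card (fails Luhn).
"""


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> Dict[str, List[str]]:
    """Return a mapping of field type -> list of matches found in text."""
    hits: Dict[str, List[str]] = {
        name: rx.findall(text) for name, rx in PATTERNS.items()
    }
    pans: List[str] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    hits["pan"] = pans
    return {k: v for k, v in hits.items() if v}   # drop empty categories


if __name__ == "__main__":
    for field, values in scan(SAMPLE).items():
        print(f"{field}: {values}")
```

The Luhn step is what separates a PAN detector from a generic "16 digits" rule: without it, every order number or tracking ID of the right length becomes a false positive, which is the usual reason DLP policies get switched off.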


PHI: See protected health information. 
PII: See personally identifiable information. 


Platform as a Service (PaaS): A category of cloud computing 
services in which the customer is provided access to a 
platform for deploying applications and can manage limited 
configuration settings, but the operating system, compute, 
storage, networking, and underlying physical cloud infrastructure 
is maintained by the service provider. 


port address translation (PAT): PAT performs a one-to-many 
mapping of a single public IP address with a unique port 
combination to multiple private IP addresses on an internal 
network. 


protected health information (PHI): Any information about 
health status, healthcare, or healthcare payments that can be 
associated with a specific, identifiable individual. 


RDP: See Remote Desktop Protocol. 


Remote Desktop Protocol (RDP): A proprietary Microsoft pro- 
tocol that provides remote graphical access to a computer’s 
desktop (TCP port 3389 by default). 


rootkit: Malware that conceals its own presence (and that of 
other malicious components) while maintaining privileged 
(root-level) access to a computer. 


SaaS: See Software as a Service. 
search engine optimization (SEO): The process of improving 
a website’s ranking in unpaid (or organic) search engine 
results to increase traffic to that website. 
Secure Sockets Layer/Transport Layer Security (SSL/TLS): A 
cryptographic protocol that runs on top of TCP and provides 
session-based encryption and authentication for secure 
communication between clients and servers on the Internet. 
SSL is deprecated; its successor TLS (versions 1.2 and 1.3 
are current) should be used. 


SEO: See search engine optimization. 


service-level agreement (SLA): A contract between a service 
provider and its customers (internal or external) that for- 
mally defines the service that is being provided and specific 
service requirements such as performance, problem manage- 
ment, responsiveness, and availability. The SLA also typically 
includes penalties for noncompliance, such as credits or 
refunds. 


Skype: An application that allows users to make telephone 
calls over the Internet. Additional features include instant 
messaging, file transfer, and video conferencing. 


SLA: See service-level agreement. 
Software as a Service (SaaS): A category of cloud computing 
services in which the customer is provided access to a hosted 
application that is maintained by the service provider. 


spyware: Software that gathers information about a person or 
organization without their knowledge or consent. 


SSL/TLS: See Secure Sockets Layer/Transport Layer Security. 
stateful inspection: Maintains the status of active connections 
through the firewall to dynamically allow inbound replies to 
outbound connections. Also known as dynamic packet filtering. 
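The NAT, PAT and stateful inspection entries describe the same mechanism from three angles: a one-to-many address translation keyed by port, and a connection table that admits inbound packets only when they answer an existing outbound flow. As an added example (not code from this book), the Python below simulates a stateful PAT gateway with a single public address: two internal hosts that happen to use the same source port are given distinct public ports, replies are mapped back to the right host, and an unsolicited inbound packet is dropped because no state exists for it. The addresses come from the RFC 5737 documentation ranges and the class and function names are assumptions.

```python
"""Constructed stateful PAT (one-to-many NAT) simulator (example only)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed public address of the gateway

# Outbound flow key: (private_ip, private_port, remote_ip, remote_port, proto)
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulPAT:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = first_port
        # private flow -> allocated public source port
        self._out: Dict[FlowKey, int] = {}
        # (public_port, remote_ip, remote_port, proto) -> (private_ip, private_port)
        self._in: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network, creating state if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self._out.get(key)
        if port is None:                       # first packet of this flow
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (
                pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet.

        Returns the packet rewritten to its private destination, or None when
        no matching outbound state exists (unsolicited traffic is dropped).
        """
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            return None
        priv_ip, priv_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def active_flows(self) -> int:
        return len(self._out)


def demo():
    """Two hosts sharing one public IP, their replies, and an unsolicited scan."""
    nat = StatefulPAT()
    a = nat.outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 443))
    b = nat.outbound(Packet("tcp", "10.0.0.6", 40000, "198.51.100.7", 443))
    reply_a = nat.inbound(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, a.src_port))
    reply_b = nat.inbound(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, b.src_port))
    scan = nat.inbound(Packet("tcp", "192.0.2.99", 55555, PUBLIC_IP, 22))
    return nat, a, b, reply_a, reply_b, scan


if __name__ == "__main__":
    nat, a, b, ra, rb, scan = demo()
    print("host A seen as", a.src_ip, a.src_port, "-> reply to", ra.dst_ip, ra.dst_port)
    print("host B seen as", b.src_ip, b.src_port, "-> reply to", rb.dst_ip, rb.dst_port)
    print("unsolicited inbound:", "dropped" if scan is None else "allowed")
    print("active flows:", nat.active_flows())
```

A real gateway also ages entries out and handles protocols that embed addresses in their payload (FTP, SIP), but the security property is the one shown: inbound traffic is admitted by state, not by port number alone.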
TCP: See Transmission Control Protocol. 

TeamViewer: Provides remote control of PCs over the 
Internet, allowing a user to instantly take control over a 
computer anywhere on the Internet. Because it connects 
outbound to the vendor’s relay servers, it typically works 
through firewalls that permit outbound web traffic. 


Tor: A system that enables users to communicate anony- 
mously over the Internet. 
Transmission Control Protocol (TCP): A connection-oriented 
protocol responsible for establishing a connection between 
two hosts and providing reliable, in-order delivery of data 
between them. 


Trojan horse: A program that purports to perform a given 
function, but that actually performs some other (usually mali- 
cious) function. 


UDP: See User Datagram Protocol. 


UltraSurf: A censorship-circumvention tool that routes browser 
traffic through an encrypted proxy so that users can reach any 
website. It’s used heavily in countries with Internet 
censorship. 


Upatre/Dyre: See Dyre/Upatre. 


User Datagram Protocol (UDP): A connectionless protocol 
often used for time-sensitive, low-latency communications 
that don’t require guaranteed delivery. 


U.S. National Institute of Standards and Technology (NIST): 
The U.S. federal agency that is responsible for working with 
industry to develop and apply technology, measurements, 
and standards. 


VBA: See Visual Basic for Applications. 
Vidyo: A video-conferencing software platform. 


virtual private network (VPN): An encrypted tunnel that 
extends a private network over a public network (such as the 
Internet). 


virus: A set of computer instructions whose purpose is to 
embed itself within another computer program in order to 
replicate itself. 


Visual Basic for Applications (VBA): An implementation of 
Microsoft’s event-driven programming language, Visual Basic 6, 
and its associated integrated development environment (IDE). 


Voice over Internet Protocol (VoIP): Technology that enables 
voice communications over IP. 
VoIP: See Voice over Internet Protocol. 
VPN: See virtual private network. 


vulnerability: A weakness in software, hardware, or configura- 
tion that creates a security risk that may be exploited by an 
attacker. 


WM/Concept: The first known macro-based malware, discov- 
ered in 1995. 


worm: Malware that usually has the capability to replicate 
itself from computer to computer without the need for human 
interaction. 
who find SaaS apps (such as Box and Google 
Drive) that help them to be more productive, 